Fix PHP warnings, improve security access.

8 years ago · 568d5fd2d5
parent 1394684773
commit 568d5fd2d5
4 changed files with 55 additions and 34 deletions
--- a/main/announcements/announcements.php
+++ b/main/announcements/announcements.php
@ -97,6 +97,11 @@ $searchFormToString = '';

 switch ($action) {
    case 'move':
+
+        if (!$allowToEdit) {
+            api_not_allowed(true);
+        }
+
        /* Move announcement up/down */
        if (!empty($_GET['down'])) {
            $thisAnnouncementId = intval($_GET['down']);
@ -282,7 +287,7 @@ switch ($action) {

        if (empty($count)) {
            $html = '';
-            if ($allowToEdit && (empty($_GET['origin']) or $_GET['origin'] !== 'learnpath')) {
+            if ($allowToEdit && (empty($_GET['origin']) || $_GET['origin'] !== 'learnpath')) {
                $html .= '<div id="no-data-view">';
                $html .= '<h3>'.get_lang('Announcements').'</h3>';
                $html .= Display::return_icon('valves.png', '', [], 64);
@ -346,6 +351,10 @@ switch ($action) {
                    api_not_allowed();
                }

+                if (!$allowToEdit) {
+                    api_not_allowed(true);
+                }
+
                if (!api_is_session_general_coach() ||
                    api_is_element_in_the_session(TOOL_ANNOUNCEMENT, $_GET['id'])
                ) {
@ -368,6 +377,10 @@ switch ($action) {
            api_not_allowed(true);
        }

+        if (!$allowToEdit) {
+            api_not_allowed(true);
+        }
+
        // DISPLAY ADD ANNOUNCEMENT COMMAND
        $id = isset($_GET['id']) ? intval($_GET['id']) : 0;
        $url = api_get_self().'?action='.$action.'&id='.$id.'&'.api_get_cidreq();
@ -616,25 +629,27 @@ switch ($action) {
                            $sendToUsersInSession
                        );
                    }
-
-                    Display::addFlash(
-                        Display::return_message(
-                            get_lang('AnnouncementAdded'),
-                            'success'
-                        )
-                    );
-
-                    // Send mail
-                    if (isset($data['email_ann']) && $data['email_ann']) {
-                        AnnouncementManager::sendEmail(
-                            api_get_course_info(),
-                            api_get_session_id(),
-                            $insert_id,
-                            $sendToUsersInSession
+                    if ($insert_id) {
+                        Display::addFlash(
+                            Display::return_message(
+                                get_lang('AnnouncementAdded'),
+                                'success'
+                            )
                        );
+
+                        // Send mail
+                        if (isset($data['email_ann']) && $data['email_ann']) {
+                            AnnouncementManager::sendEmail(
+                                api_get_course_info(),
+                                api_get_session_id(),
+                                $insert_id,
+                                $sendToUsersInSession
+                            );
+                        }
+                        header('Location: '.$homeUrl);
+                        exit;
                    }
-                    header('Location: '.$homeUrl);
-                    exit;
+                    api_not_allowed(true);
                } // end condition token
            }
        }
--- a/main/inc/ajax/statistics.ajax.php
+++ b/main/inc/ajax/statistics.ajax.php
@ -12,6 +12,14 @@ $action = isset($_REQUEST['a']) ? $_REQUEST['a'] : null;
 $sessionDuration = isset($_GET['session_duration']) ? (int) $_GET['session_duration'] : 0;

 switch ($action) {
+    case 'get_user_session':
+        $list = [];
+
+        $sql = "";
+
+        echo json_encode($list);
+        break;
+        break;
    case 'recentlogins':
        header('Content-type: application/json');
        $list = [];
--- a/main/inc/lib/AnnouncementEmail.php
+++ b/main/inc/lib/AnnouncementEmail.php
@ -30,9 +30,8 @@ class AnnouncementEmail
        $this->session_id = empty($sessionId) ? api_get_session_id() : (int) $sessionId;

        if (is_numeric($announcementId)) {
-            $announcementId = AnnouncementManager::get_by_id($courseInfo['real_id'], $announcementId);
+            $this->announcement = AnnouncementManager::get_by_id($courseInfo['real_id'], $announcementId);
        }
-        $this->announcement = $announcementId;
        $this->logger = $logger;
    }

@ -279,9 +278,8 @@ class AnnouncementEmail
     * Send emails to users.
     *
     * @param bool $sendToUsersInSession
-     * @param bool $sendToDrhUsers       send a copy of the message to the DRH users
-     * @param int  $senderId
-     *                                   related to the main user
+     * @param bool $sendToDrhUsers send a copy of the message to the DRH users
+     * @param int  $senderId       related to the main user
     */
    public function send($sendToUsersInSession = false, $sendToDrhUsers = false, $senderId = 0)
    {
--- a/main/inc/lib/AnnouncementManager.php
+++ b/main/inc/lib/AnnouncementManager.php
@ -45,8 +45,8 @@ class AnnouncementManager
                $tags[] = "((extra_".$extra['variable']."))";
            }
        }
-
-        if (!empty(api_get_session_id())) {
+        $sessionId = api_get_session_id();
+        if (!empty($sessionId)) {
            $tags[] = '((coaches))';
            $tags[] = '((general_coach))';
            $tags[] = '((general_coach_email))';
@ -798,7 +798,7 @@ class AnnouncementManager
        $courseInfo = api_get_course_info();
        $courseId = api_get_course_int_id();
        $tbl_item_property = Database::get_course_table(TABLE_ITEM_PROPERTY);
-        $tbl_announcement = Database::get_course_table(TABLE_ANNOUNCEMENT);
+        $table = Database::get_course_table(TABLE_ANNOUNCEMENT);
        $id = intval($id);

        $params = [
@ -807,7 +807,7 @@ class AnnouncementManager
        ];

        Database::update(
-            $tbl_announcement,
+            $table,
            $params,
            ['c_id = ? AND id = ?' => [$courseId, $id]]
        );
@ -846,7 +846,7 @@ class AnnouncementManager
        }

        // store in item_property (first the groups, then the users
-        if (!is_null($to)) {
+        if (!empty($to)) {
            // !is_null($to): when no user is selected we send it to everyone
            $send_to = CourseManager::separateUsersGroups($to);

@ -954,14 +954,14 @@ class AnnouncementManager
     */
    public static function update_mail_sent($insert_id)
    {
-        $tbl_announcement = Database::get_course_table(TABLE_ANNOUNCEMENT);
+        $table = Database::get_course_table(TABLE_ANNOUNCEMENT);
        if ($insert_id != strval(intval($insert_id))) {
            return false;
        }
        $insert_id = intval($insert_id);
        $courseId = api_get_course_int_id();
        // store the modifications in the table tbl_annoucement
-        $sql = "UPDATE $tbl_announcement SET email_sent='1'
+        $sql = "UPDATE $table SET email_sent='1'
                WHERE c_id = $courseId AND id = $insert_id";
        Database::query($sql);
    }
@ -1445,22 +1445,22 @@ class AnnouncementManager
    /**
     * @param array $courseInfo
     * @param int   $sessionId
-     * @param int   $id
+     * @param int   $announcementId
     * @param bool  $sendToUsersInSession
     * @param bool  $sendToDrhUsers
     * @param Monolog\Handler\HandlerInterface logger
-     * @param int $senderId
+     * @param int   $senderId
     */
    public static function sendEmail(
        $courseInfo,
        $sessionId,
-        $id,
+        $announcementId,
        $sendToUsersInSession = false,
        $sendToDrhUsers = false,
        $logger = null,
        $senderId = 0
    ) {
-        $email = new AnnouncementEmail($courseInfo, $sessionId, $id, $logger);
+        $email = new AnnouncementEmail($courseInfo, $sessionId, $announcementId, $logger);
        $email->send($sendToUsersInSession, $sendToDrhUsers, $senderId);
    }